1) {
header('Vary: Origin'); // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#CORS_and_caching
}
// Session bootstrap. When a database-backed session table is configured the
// custom session handler is loaded first, so that session_start() below uses it.
if (isset($GLOBALS['SessionTableName']) && $GLOBALS['SessionTableName']) {
    require_once __DIR__.'/admin/sessionlib.php';
}
// The session may already have been started by the language files, in which
// case session_start() only emits a notice; that notice is suppressed on purpose.
@session_start();
// Very old PHP versions only provide $HTTP_POST_VARS; map them onto $_POST.
if (!isset($_POST) && isset($HTTP_POST_VARS)) {
    require 'admin/commonlib/lib/oldphp_vars.php';
}
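// Work out which subscribe page and which subscriber this request refers to.
//   id     - id of the subscribe page
//   uid    - uniqid of the subscriber (the token used in personal links)
//   userid - numeric id of the subscriber
// A request without any of these ends up with $id = 0 and empty subscriber data,
// which later selects the default subscribe page.
$id = isset($_GET['id']) ? sprintf('%d', $_GET['id']) : 0;
$userid = '';
$userpassword = '';
$emailcheck = '';
if (isset($_GET['uid']) && is_scalar($_GET['uid']) && $_GET['uid']) {
    // uid comes straight from the query string: it must be escaped before being
    // interpolated into the query, as the other lookups in this file do.
    // (is_scalar keeps an array-valued parameter away from sql_escape.)
    $req = Sql_Fetch_Row_Query(sprintf('select subscribepage,id,password,email from %s where uniqid = "%s"',
        $tables['user'], sql_escape($_GET['uid'])));
    // an unknown uid yields no row; leave the subscriber data empty rather than
    // indexing into a non-array result
    if ($req) {
        $id = $req[0];
        $userid = $req[1];
        $userpassword = $req[2];
        $emailcheck = $req[3];
    }
}
// an explicit id in the request wins over the page stored with the subscriber
if (isset($_REQUEST['id']) && $_REQUEST['id']) {
    $id = sprintf('%d', $_REQUEST['id']);
}
// make sure the subscribe page still exists; %d keeps the value numeric
$req = Sql_fetch_row_query(sprintf('select id from %s where id = %d', $tables['subscribepage'], $id));
if (!$req) {
    $id = 0;
}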
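// "Send me my personal location" form: mail the subscriber the link to their
// preferences page. $msg collects the status text shown on the page.
// Note for operators: the three outcomes below differ in wording, so the form
// reveals whether an address is subscribed; rate limiting of this form (if any)
// is not handled here.
$msg = '';
if (!empty($_POST['sendpersonallocation'])) {
    if (isset($_POST['email']) && $_POST['email']) {
        $uid = Sql_Fetch_Assoc_Query(sprintf('select uniqid,email,id,blacklisted from %s where email = "%s"',
            $tables['user'], sql_escape($_POST['email'])));
        // no row for this address: the lookup returns a non-array, so check that
        // before reading keys from it
        if (!is_array($uid)) {
            $msg = $GLOBALS['strUserNotFound'];
        } elseif (!empty($uid['blacklisted'])) {
            $msg = $GLOBALS['strYouAreBlacklisted'];
        } elseif (!empty($uid['uniqid'])) {
            sendMail($uid['email'], getConfig('personallocation_subject'),
                getUserConfig('personallocation_message', $uid['id']), system_messageheaders(), $GLOBALS['envelope']);
            $msg = $GLOBALS['strPersonalLocationSent'];
            addSubscriberStatistics('personal location sent', 1);
        } else {
            $msg = $GLOBALS['strUserNotFound'];
        }
    }
}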
// Landing on the subscribe page drops any subscriber login held in the session.
$publicPage = isset($_GET['p']) ? $_GET['p'] : null;
if ($publicPage == 'subscribe') {
    $_SESSION['userloggedin'] = 0;
    $_SESSION['userdata'] = array();
}
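// Does this request have to be authenticated with the subscriber's password?
// Only subscribers that have a password stored are asked: the preferences page
// when ASKFORPASSWORD is on, the unsubscribe page when
// UNSUBSCRIBE_REQUIRES_PASSWORD is on as well. p is read with isset(), as the
// rest of this file does, so a request without p raises no undefined-index notice.
$login_required =
    (ASKFORPASSWORD && $userpassword && isset($_GET['p']) && $_GET['p'] == 'preferences') ||
    (ASKFORPASSWORD && UNSUBSCRIBE_REQUIRES_PASSWORD && $userpassword && isset($_GET['p']) && $_GET['p'] == 'unsubscribe');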
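// Subscriber login for pages that require it. Three ways in: the login form,
// the "forgot password" form, or arriving with the e-mail already in the
// session. $canlogin ends up truthy when the subscriber may see the page;
// $msg carries the text to show otherwise.
if ($login_required && empty($_SESSION['userloggedin'])) {
    $canlogin = 0;
    if (!empty($_POST['login'])) {
        // login button pushed, let's check formdata
        if (empty($_POST['email'])) {
            $msg = $strEnterEmail;
        } elseif (empty($_POST['password'])) {
            $msg = $strEnterPassword;
        } else {
            if (ENCRYPTPASSWORD) {
                $encP = encryptPass($_POST['password']);
                // Compare strictly: with == PHP compares numeric-looking strings as
                // numbers, so two different hashes could compare equal. The plaintext
                // branch below already uses ===; the password itself was checked for
                // emptiness above.
                $canlogin =
                    !empty($encP) &&
                    !empty($emailcheck) &&
                    $encP === $userpassword && $_POST['email'] === $emailcheck;
            } else {
                $canlogin = $_POST['password'] === $userpassword && $_POST['email'] === $emailcheck;
            }
        }
        if (!$canlogin) {
            $msg = "\n".$strInvalidPassword."\n";
        } else {
            // fresh session id on the privilege change, then load the subscriber
            session_regenerate_id();
            loadUser($emailcheck);
            // the "logged in" flag stores the client IP; the rest of this file only
            // tests it with empty(), so getClientIP() is expected to return a
            // non-empty value — verify in getClientIP()
            $_SESSION['userloggedin'] = getClientIP();
        }
    } elseif (!empty($_POST['forgotpassword'])) {
        // forgot password button pushed
        // NOTE: this mails the stored password value as-is (the encrypted form
        // when ENCRYPTPASSWORD is on), and only when the address matches the
        // subscriber identified by uid.
        if (!empty($_POST['email']) && $_POST['email'] === $emailcheck) {
            sendMail($emailcheck, $GLOBALS['strPasswordRemindSubject'],
                $GLOBALS['strPasswordRemindMessage'].' '.$userpassword, system_messageheaders());
            $msg = $GLOBALS['strPasswordSent'];
        } else {
            $msg = $strPasswordRemindInfo;
        }
    } elseif (isset($_SESSION['userdata']['email']['value']) && $_SESSION['userdata']['email']['value'] == $emailcheck) {
        // Entry without any button pushed (first time): test and, if needed, ask for password
        $canlogin = $_SESSION['userloggedin'];
        $msg = $strEnterPassword;
    }
} else {
    // Logged into session or login not required
    $canlogin = 1;
}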
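// No usable page id yet: fall back to the configured default page, and failing
// that to the first active subscribe page.
if (!$id) {
    // find the default one:
    $id = getConfig('defaultsubscribepage');
    // the config value may be stored as the literal strings "true"/"false";
    // the loose == is kept because the value's type is not known here (note that
    // under PHP < 8, 0 == 'true' is itself true)
    if ($id == 'true') {
        $id = 1;
    } elseif ($id == 'false') {
        $id = 0;
    }
    if (!$id) {
        // pick a first
        $req = Sql_Fetch_row_Query(sprintf('select ID from %s where active', $tables['subscribepage']));
        // no active page at all: keep $id empty instead of indexing a non-array result
        $id = $req ? $req[0] : 0;
    }
}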
// Load the data of the chosen subscribe page and, when one is configured, its
// language file. basename() confines the language file to the texts directory
// (and to the document root for the per-installation override).
// This relies on $pagedata and $GLOBALS['pagedata'] being the same variable,
// i.e. on this file running at global scope.
$pagedata = array();
if ($id) {
    $GLOBALS['pagedata'] = PageData($id);
    if (isset($pagedata['language_file'])) {
        $languageFile = basename($pagedata['language_file']);
        $bundledTexts = dirname(__FILE__).'/texts/'.$languageFile;
        if (is_file($bundledTexts)) {
            @include $bundledTexts;
            // Allow customisation per installation
            $localTexts = $_SERVER['DOCUMENT_ROOT'].'/'.$languageFile;
            if (is_file($localTexts)) {
                include_once $localTexts;
            }
        }
    }
}
/*
We request you retain the inclusion of pagetop below. This will add invisible
additional information to your public pages.
This not only gives respect to the large amount of time given freely
by the developers but also helps build interest, traffic and use of
phpList, which is beneficial to its future development.
Michiel Dethmers, phpList Ltd 2000-2017
*/
// Shared top of every public page, taken from the configured UI theme.
$uiDir = 'admin/ui/'.$GLOBALS['ui'];
include $uiDir.'/publicpagetop.php';
if ($login_required && empty($_SESSION['userloggedin']) && !$canlogin) {
echo LoginPage($id, $userid, $emailcheck, $msg);
} elseif (!empty($_GET['pi']) && isset($plugins[$_GET['pi']])) {
$plugin = $plugins[$_GET['pi']];
if (!empty($_GET['p']) && in_array($_GET['p'], $plugin->publicPages)) {
$page = $_GET['p'];
if (is_file($include = $plugin->coderoot.$page.'.php')) {
require $include;
} else {
FileNotFound();
}
} else {
FileNotFound();
}
} elseif (isset($_GET['p']) && preg_match("/(\w+)/", $_GET['p'], $regs)) {
if ($id) {
switch ($_GET['p']) {
case 'subscribe':
$success = require 'admin/subscribelib2.php';
if ($success != 2) {
echo SubscribePage($id);
}
break;
case 'asubscribe': //# subscribe with Ajax
$_POST['subscribe'] = 1;
if (isset($_GET['email']) && !isset($_POST['email'])) {
$_POST['email'] = $_GET['email'];
}
if (!isset($_POST['list'])) {
foreach (explode(',', $GLOBALS['pagedata']['lists']) as $listid) {
$_POST['list'][$listid] = 'signup';
}
}
$_POST['htmlemail'] = 1; //# @@ should actually be taken from the subscribe page data
$success = require 'admin/subscribelib2.php';
$result = ob_get_contents();
ob_end_clean();
if (stripos($result, $GLOBALS['strEmailConfirmation']) !== false ||
stripos($result, $pagedata['thankyoupage']) !== false
) {
if (!empty($pagedata['ajax_subscribeconfirmation'])) {
$confirmation = $pagedata['ajax_subscribeconfirmation'];
} else {
$confirmation = getConfig('ajax_subscribeconfirmation');
}
if (empty($confirmation)) {
echo 'OK';
} else {
echo $confirmation;
}
exit;
} else {
// we failed to subscribe the user; send an error back to
// the ajax client
echo 'FAIL';
// return a 500, so that it is more easily processed at the other end
http_response_code( 500 );
}
break;
case 'preferences':
if (!isset($_GET['id']) || !$_GET['id']) {
$_GET['id'] = $id;
}
if (!$userid) {
// print "Userid not set".$_SESSION["userid"];
echo sendPersonalLocationPage($id);
break;
}
if (ASKFORPASSWORD && $userpassword && !$canlogin) {
echo LoginPage($id, $userid, $emailcheck);
break;
}
$success = require 'admin/subscribelib2.php';
if ($success != 3) {
echo PreferencesPage($id, $userid);
}
break;
case 'forward':
print ForwardPage($id);
break;
case 'confirm':
print ConfirmPage($id);
break;
case 'vcard':
print downloadvCard();
break;
//0013076: Blacklisting posibility for unknown users
case 'donotsend':
case 'blacklist':
case 'unsubscribe':
print UnsubscribePage($id);
break;
default:
FileNotFound();
}
} else {
FileNotFound();
}
} else {
// If no particular page was requested then show the default
echo ''.$GLOBALS['strSubscribeTitle'].'';
echo $pagedata['header'];
$req = Sql_Query(sprintf('select * from %s where active', $tables['subscribepage']));
// If active subscribe pages exist then list them
if (Sql_Affected_Rows()) {
while ($row = Sql_Fetch_Array($req)) {
$intro = Sql_Fetch_Row_Query(sprintf('select data from %s where id = %d and name = "intro"',
$tables['subscribepage_data'], $row['id']));
echo stripslashes($intro[0]);
if (SHOW_SUBSCRIBELINK) {
printf('
', $row['id'],
strip_tags(stripslashes($row['title'])));
}
}
// If no active subscribe page exist then print link to default
} else {
if (SHOW_SUBSCRIBELINK) {
printf('
'.
$msg.'';
$res .= $GLOBALS['PoweredBy'];
$res .= $GLOBALS['pagedata']['footer'];
return $res;
}
$current = Sql_Fetch_Array_query(sprintf('select list.id as listid,user.uniqid as userhash, user.password as password
from %s as list,%s as listuser,%s as user where list.id = listuser.listid and user.id = listuser.userid and user.email = "%s"',
$tables['list'], $tables['listuser'], $tables['user'], sql_escape($email)));
$some = $current['listid'];
if (ASKFORPASSWORD && !empty($user['password'])) {
// it is safe to link to the preferences page, because it will still ask for
// a password
$hash = $current['userhash'];
} elseif (isset($_GET['uid']) && $_GET['uid'] == $current['userhash']) {
// they got to this page from a link in an email
$hash = $current['userhash'];
} else {
$hash = '';
}
$finaltext = $GLOBALS['strUnsubscribeFinalInfo'];
$pref_url = getConfig('preferencesurl');
$sep = strpos($pref_url, '?') !== false ? '&' : '?';
$finaltext = str_ireplace('[preferencesurl]', $pref_url.$sep.'uid='.$hash, $finaltext);
if (!$some) {
//0013076: Blacklisting posibility for unknown users
if (!$blacklistRequest) {
$res .= ''.$GLOBALS['strNoListsFound'].'';
}
$res .= '